CVE-2026-23841
📋 TL;DR
CVE-2026-23841 is a cross-site scripting (XSS) vulnerability in Movary web application versions prior to 0.70.0. Attackers can inject malicious scripts via the 'categoryCreated' parameter, potentially stealing user sessions or performing actions on behalf of users. All users running Movary versions below 0.70.0 are affected.
💻 Affected Systems
- Movary
📦 What is this software?
Movary by Leepeuker
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal admin credentials, take over accounts, deface the application, or redirect users to malicious sites, potentially leading to complete system compromise.
Likely Case
Attackers steal user session cookies, perform unauthorized actions on behalf of users, or inject malicious content into the application.
If Mitigated
With proper input validation and output encoding, the attack would be prevented, though the vulnerable code path remains.
🎯 Exploit Status
XSS vulnerabilities are commonly exploited and require minimal technical skill when public details are available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.70.0
Vendor Advisory: https://github.com/leepeuker/movary/security/advisories/GHSA-v877-x568-4v5v
Restart Required: Yes
Instructions:
1. Backup your current Movary installation and database.
2. Download version 0.70.0 from GitHub releases.
3. Replace existing files with the new version.
4. Restart your web server.
5. Verify the application loads correctly.
🔧 Temporary Workarounds
Web Application Firewall (WAF)
Deploy a WAF with XSS protection rules to block malicious payloads targeting the categoryCreated parameter.
Input Validation Filter
Implement server-side input validation to sanitize the categoryCreated parameter before processing.
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to limit script execution
- Disable or restrict access to the vulnerable endpoint if not critical for functionality
🔍 How to Verify
Check if Vulnerable:
Check if your Movary version is below 0.70.0 by examining the application version in the interface or checking the installation files.
Check Version:
Check the Movary web interface or examine the application's version file if available.
Verify Fix Applied:
After upgrading to 0.70.0, test the categoryCreated parameter with a basic XSS payload such as <script>alert('test')</script> and confirm that the value is rendered as inert text in the page rather than executed by the browser.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing script tags or JavaScript in the categoryCreated parameter
- Unusual parameter values in categoryCreated field
Network Indicators:
- HTTP requests with suspicious payloads in query parameters
- Multiple requests with encoded script tags
SIEM Query:
web.url:*categoryCreated=* AND (web.url:*script* OR web.url:*javascript* OR web.url:*onload* OR web.url:*onerror*)
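The log indicators above can be checked offline against web-server access logs. The following is an added example, not code from Movary or its advisory: it parses combined-format access-log lines, extracts the categoryCreated query parameter, percent-decodes it (including double-encoded values) and matches the decoded value against the script-tag, javascript: and onload/onerror indicators listed above. The log lines, IP addresses and paths are constructed for illustration; the parameter name is the one named in this advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Indicators from the "Log Indicators" / SIEM query above: script tags,
# javascript: URLs and inline onload/onerror handlers. Matching is done on
# the DECODED parameter value, so encoded or double-encoded payloads are
# still caught (the "encoded script tags" network indicator).
SUSPICIOUS = re.compile(
    r"<\s*script|javascript\s*:|\bon(?:load|error)\s*=",
    re.IGNORECASE,
)

# Constructed sample access-log lines (combined log format style).
# These are illustrative only, not real Movary traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2026:10:00:00 +0000] "GET /movies?categoryCreated=1 HTTP/1.1" 200 512
203.0.113.11 - - [01/Jan/2026:10:00:01 +0000] "GET /movies?categoryCreated=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 512
203.0.113.12 - - [01/Jan/2026:10:00:02 +0000] "GET /movies?categoryCreated=%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E HTTP/1.1" 200 512
203.0.113.13 - - [01/Jan/2026:10:00:03 +0000] "GET /search?q=%3Cscript%3E HTTP/1.1" 200 512
203.0.113.14 - - [01/Jan/2026:10:00:04 +0000] "GET /movies?categoryCreated=Action%20Movies HTTP/1.1" 200 512
"""

# Minimal combined-log-format parser: client IP, timestamp, method, URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict of the log fields, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads are exposed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(value):
    """True if the decoded value matches any of the XSS indicators."""
    return bool(SUSPICIOUS.search(fully_decode(value)))


def category_created_values(url):
    """All values of the categoryCreated query parameter (parse_qs decodes once)."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get("categoryCreated", [])


def find_hits(log_text):
    """Scan log text; return one record per request with a suspicious categoryCreated value."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for value in category_created_values(rec["url"]):
            if is_suspicious(value):
                hits.append({
                    "ip": rec["ip"],
                    "ts": rec["ts"],
                    "value": fully_decode(value),
                })
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} categoryCreated={hit["value"]!r}')
```

Only requests whose categoryCreated value matches are reported; a script tag in a different parameter (the /search line above) is deliberately out of scope for this CVE-specific check. Widen `category_created_values` if you want the same indicators applied to every query parameter.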